you may want to create an unofficial Win2000 MS10-074 Mfc40.dll/Mfc40u.dll/Mfc42.dll/Mfc42u.dll patch since that one is relatively easy to do. Just use the updated MFC*.DLL files from the XP (2387149) patch.

I've finally finished porting MS10-071 to Win2k, and I added MS10-081 as well. To say that the first one was a HUGE PITA is an understatement. The changes are definitely extensive. MS10-081 is an extremely minor patch, but it took all day to track down the routine in the 2k version to patch since IDA couldn't find any debugging information.

Now that the IE patch is done, hopefully I can crank out a few easier ones this week before next week's update (and let's all hope that the one for November isn't as massive as this one was).

; -------------------------------------------------------------------------
; CServer::GetMETAFILEPICT
;
; Zeroes out a pointer after an object is freed
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; ___report_gsfailure
;
; Got tired of having to figure out how to strip calls to this, so decided
; to finally add it. This will make porting other routines a lot easier.
; -------------------------------------------------------------------------

; Unlike the XP version, this one isn't automatically
; importing SetUnhandledExceptionFilter. Also, there
; isn't room at the beginning to add an import, so we
; have to get it the hard way with calls to
; GetModuleHandleA and GetProcAddress.

; -------------------------------------------------------------------------
; CLinkElement::ReleaseStyleSheet
;
; Only one instruction is different from the XP version
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CLinkElement::Passivate
;
; No change in functionality; the patch changes it to re-use the new
; CLinkElement::ReleaseStyleSheet routine
; -------------------------------------------------------------------------

$637B7B17:
    mov ecx, esi
    call $637D7E5C ; CLinkElement::ReleaseStyleSheet
    ; condensed the rest of the routine and put 20 NOP's at the end

; -------------------------------------------------------------------------
; CLinkElement::RemoveStyleSheet
;
; Copied as-is, only had to fix up CALLs
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CLinkElement::Notify
;
; The first part reuses CLinkElement::RemoveStyleSheet rather than having
; separate code here (no functionality change). The second part adds a
; null pointer check. The reduction in code size from the first patch
; conveniently leaves more than enough room for the second patch.
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CStyleSheet::DetermineIfFromCssSource
;
; Decided to copy the updated routine outright and change the references
; to point to this one instead of to the original (there are only two
; references and one of them is in our CLinkElement::OnDwnChan patch above);
; No changes to the new routine were needed beyond fixing up CALLs.
;
; Filled the original with NOPs so we can use it for some purpose later.
; -------------------------------------------------------------------------

$636CB584:
    call $637D7FCC ; Change call in CStyleSheet::OnDwnChan to point to our new routine

; -------------------------------------------------------------------------
; CStyleSheet::OnDwnChan
;
; Ran out of slack in the original code section, but luckily there was room for
; additional section entries. Created a new code section called "patch". I can
; grow this section at will, but set its initial size at 16k bytes.
; -------------------------------------------------------------------------

$636CB3D9:
    sub esp, $28 ; Need to make room for two more variables

$636CB57F:
    mov [ebp-$24], edi
    mov [ebp-$28], ebx
    jmp $637E6000

$636CB58A:
    cmp edi, ebx
    jz $636CB5B5
    mov edi, [esi+$60]
    mov ecx, esi
    mov [esi+$64], ebx ; This and the next instruction save us a byte
    inc dword ptr [esi+$64] ; This way, the patch is closer to what we have to add from XP.

; -------------------------------------------------------------------------
; MustValidateEventsFromElement
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; IsKeyDown
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CIntelliForms::GetDocumentWindow
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
;
; Copied as-is, only had to fix up addresses
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------

; -------------------------------------------------------------------------
; CDeleteCommand::DeleteCharacter
;
; The patch involves grafting in a single code block. Pretty much an as-is
; copy, only fixed up addresses.
; -------------------------------------------------------------------------

I'm taking a look at MS10-083, but I'd like to see if I can take a different tack. The patch involves changes to ole32.dll and wordpad.exe. When I try to run the XP WordPad it says that it can't find a routine in shlwapi that XP has but 2k presumably doesn't. It might be possible to add the necessary routines to the 2k version so the XP WordPad can be used as-is. I don't know if this is possible or worth it, but I'm looking into it.

Patch for MS10-078 is up. I spent a lot of time looking at MS10-083, but it doesn't look easy. I can get the XP Wordpad to run on 2k, but that's only half the battle. ole32.dll also has to be patched as well, which I haven't figured out yet. To me it looks like MS implemented a real hack for the fix, so I decided to take a break from it and see if I could patch something else instead. MS10-078 wasn't too hard to do.

The one I really want to patch is MS10-076, but the differences between the patched version and the one in XP SP3 are massive. I need to see if there's an intermediate version that's closer to the patched one.

;==========================================================================
; atmfd.dll
;
; Combined .text and .rdata sections so I could add a .patch section
;==========================================================================
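Both the "patch" section grown onto the IE file above and the .text/.rdata merge in atmfd.dll come down to the same question: is there a spare 40-byte header slot in the PE section table before the first section's raw data begins, and where would the new section land once aligned. An added example, not code from this thread or from any tool its author used, that answers that on constructed header values; the layout struct, field values and function names are assumptions.

```c
#include <stdint.h>

/* Hypothetical helper: given the header fields of a 32-bit PE file (passed in
 * as numbers rather than parsed from a file), decide whether a 40-byte
 * section-header slot is free for an extra section such as the "patch"
 * section described above, and compute the aligned RVA and raw data offset
 * that section would take. */
#define SECTION_HEADER_SIZE 40u

typedef struct {
    uint32_t e_lfanew;                 /* file offset of the "PE\0\0" signature */
    uint16_t number_of_sections;
    uint16_t size_of_optional_header;
    uint32_t section_alignment;
    uint32_t file_alignment;
    uint32_t first_raw_ptr;            /* lowest PointerToRawData of any section */
    uint32_t last_va, last_vsize;      /* highest section: VirtualAddress/VirtualSize */
    uint32_t last_raw_ptr, last_raw_size;
} pe_layout;

typedef struct { int fits; uint32_t new_va; uint32_t new_raw; } section_slot;

static uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) / a * a; }

section_slot find_section_slot(const pe_layout *pe) {
    section_slot s = {0, 0, 0};
    if (pe->section_alignment == 0 || pe->file_alignment == 0) return s;
    /* Section headers follow the 4-byte signature, the 20-byte COFF file
     * header and the optional header; each entry is 40 bytes. */
    uint32_t table_start = pe->e_lfanew + 4 + 20 + pe->size_of_optional_header;
    uint32_t table_end = table_start + pe->number_of_sections * SECTION_HEADER_SIZE;
    /* One more header must fit before the first section's raw data begins;
     * if it does not, a slot has to be freed first (e.g. by merging sections). */
    if (table_end + SECTION_HEADER_SIZE > pe->first_raw_ptr) return s;
    s.fits = 1;
    s.new_va = align_up(pe->last_va + pe->last_vsize, pe->section_alignment);
    s.new_raw = align_up(pe->last_raw_ptr + pe->last_raw_size, pe->file_alignment);
    return s;
}

/* Constructed layout (not taken from any real DLL): 0xE0-byte optional header,
 * 0x1000/0x200 alignment, first raw data at 0x400, last section at RVA 0x5000. */
section_slot example_slot(uint16_t number_of_sections) {
    pe_layout pe = {0xE8, number_of_sections, 0xE0, 0x1000, 0x200,
                    0x400, 0x5000, 0x123, 0x4000, 0x200};
    return find_section_slot(&pe);
}
```

With the constructed layout, four sections leave room for a fifth header, while thirteen exhaust the 0x400 bytes of header space, which is the situation a section merge resolves.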

That definitely helps. I'm seeing three routines that differ in the two newest versions. They're hard to find since none of them have names when IDA analyzes the files, but I've located the first one so far and patched the corresponding one in the 2k version. It takes a while since the 2k one is quite a bit different at the assembly level (though not so much logically). Now I'm trying to hunt down the second routine in the three files.

Edit: ID'ed the remaining two routines and patched the second (on 2k it's actually split into several routines). It looks like the patch to the second routine involved changing several comparisons and word-size memory loads from signed to unsigned, which I'm guessing is to prevent overflows. The patch to the third routine is much more extensive, which I'll start analyzing tomorrow.

On another note, there's an article on Slashdot about a nasty IE attack in the wild. If and when MS patches it I'll see what I can do. On the one hand I don't much like waiting for them to patch it, but on the other hand I'm glad that there isn't anything new this month which will give me a chance to catch up.
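The signed-to-unsigned change described in the edit above is a classic bounds-check fix. An added example, not code from atmfd.dll or from this thread: a constructed record format with a 16-bit length field, checked first with a sign-extended load and signed compare (the pre-patch pattern) and then with a zero-extended load and unsigned compare; the record layout, function names and sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration only; this is not atmfd.dll's real font format.
 * A record starts with a 16-bit little-endian length followed by that many
 * bytes, and `avail` is how many bytes remain after the length field. */
typedef struct { int accepted; size_t copy_len; } check_result;

static uint16_t read_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Before the patch: the length is loaded sign-extended (a movsx-style load)
 * and compared as a signed value. Any length with the high bit set reads as
 * negative, passes the "len > avail" bound, and is then converted to an
 * enormous unsigned copy size: the overflow the patch prevents. */
check_result check_record_signed(const uint8_t *rec, int avail) {
    check_result r = {0, 0};
    int16_t len = (int16_t)read_le16(rec);
    if (len > avail) return r;          /* -1 > 16 is false: bogus record accepted */
    r.accepted = 1;
    r.copy_len = (size_t)len;           /* (size_t)-1 == SIZE_MAX */
    return r;
}

/* After the patch: a zero-extended (movzx-style) load and an unsigned compare,
 * so a length of 0xFFFF is 65535, fails the bound, and the record is rejected. */
check_result check_record_unsigned(const uint8_t *rec, size_t avail) {
    check_result r = {0, 0};
    uint16_t len = read_le16(rec);
    if ((size_t)len > avail) return r;
    r.accepted = 1;
    r.copy_len = len;
    return r;
}

/* Constructed sample records: a sane 2-byte payload and a 0xFFFF length. */
static const uint8_t GOOD_REC[] = {0x02, 0x00, 0x41, 0x42};
static const uint8_t BAD_REC[]  = {0xFF, 0xFF, 0x41, 0x42};
```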

It's a known fact that all official MS cumulative security updates to IE6SP1 (except a couple of rather old ones) work OK in Win 9x/ME.

So I suggested testing your unofficial KB2360131 in the proper thread named (somewhat misleadingly) Latest MS IE6 Security Update Breaks Windows 98?, and bingo! Your update was tested and found to work, too! So, in fact, for the IE6 updates, you now have a somewhat wider user base.

However, while testing the update, Dave-H found out the puzzling fact that the modded mshtmled.dll v. 6.0.2800.1107 file you included in the unofficial update seems to be, in fact, based on the original IE6SP1's v. 6.0.2800.1106, instead of being based on the much newer v. 6.0.2800.1501 or, preferably, the 6.0.2800.1502 (the qfe branch file), both from KB896156... Have you perhaps missed it?

Well, in any case, this post is not only to discuss this point, but also to invite you to join us in discussing those updates in the above mentioned thread.

Keep on the great work, you do rock!

As an afterthought, I'd very much appreciate it if you could port your mods also to the qfe branch of MSHTML.DLL (i.e. v. 6.0.2800.1650, thus creating v. 6.0.2800.1652) since it appears to me, on closer inspection, that your modded file is derived from v. 6.0.2800.1649 (i.e. the gdr branch) of MSHTML.DLL. Some users, like myself, do always prefer qfe branch files (except, of course, when the gdr works but the qfe doesn't, although it never happened to me). Browseui.dll and Shdocvw.dll from both branches are identical, so, for those two, no extra effort is required.

As for mshtmled.dll, for some reason the newest version must not have been on my PC. I guess I'll have to reapply the patch to the newest one, though I might wait for the next IE patch first. I'm currently working on the RPC patch (the remote execution one) and it's a real bear. I might release my PE tool tonight even though it's not completely bug-free because the backlog is such that I really need help. Keeping up with these patches has taken me away from all other projects and I just can't let them languish for much longer.

But what about MS10-074, WildBill? Can't you at least make an attempt to make an unofficial MS10-074 MFC patch for Win2000? Otherwise, I will find someone else who can since it's so easy to make one and it only involves the updated MFC*.DLL files from the XP version of MS10-074.

You can do MS10-083 later on. Priority should be MS10-074, I think; and many applications depend on those MFC*.DLL files.

Edited November 15, 2010 by erpdude8

I installed all these new updates today. Everything went OK; however, when I opened the "Add and remove programmes" window in the control panel after installing I got a message: "Program error. mshta.exe has generated errors and will be closed by Windows. An error log is being created." The "Add and remove programs" window was shut down.

I carried out a fresh install of W2000 and after installing all official updates through Windows Automatic Updates I started installing the new updates individually, then checking if the "Add and remove programs" window could be opened normally. Apart from the official updates, only an nVidia driver, the monitor driver and the motherboard drivers had been installed, no other software at all. KB2079403, KB2115168, KB2121546 and KB2124261 caused no errors, but when KB2183461 was installed the problem recurred.

Will carry out a total reinstall tomorrow, skipping KB2183461 to see if this update causes the problem. Hope this helps.

By the way, where can I find the error log? So far I haven't been able to find it!